
596 points pimterry | 3 comments
1. sdwvit No.36863568
I have spent a lot of time working on integrating private access tokens into my project, and I believe I understand how it works. I do not agree with the article’s points on why this is bad. PATs are meant to reduce browsing friction, not increase it. Now, if you are trying to google something under a spammy VPN node, you get either a captcha or are fully blocked. With PAT, your device can guarantee you are not a spammer, and the system would let you through without captchas or timing you out. This is all it does. If your device is not capable of signing a PAT, then it is supposed to just fall back to the default behavior.
2. freedomben No.36863991
You're not thinking fourth dimensionally. Yes, that's how it is now. But the majority of users aren't using PATs, so if you want people using your website you have to provide a reasonable experience for unverified users. Once 99% of users are using PATs, you'd be stupid not to require them. Severely degrading (through captchas) or outright blocking unverified clients would be trivial. Hell, I'd wager firewall software will even show you these blockages as "blocked attack" or "blocked dangerous client" or something like that.
3. howinteresting No.36864960
Even if we assume that captchas are the only thing this can be restricted to (which, if attestation is widely deployed, they won't be restricted to), why is it good to make people using locked-down Apple devices with logged in Apple IDs have fewer captchas? It's a protection racket.